Hello
When a PDF document is signed with AutoCollectRevocationInfo set to true, the signature handler knows that it should embed revocation info into the signature. That revocation info (CRL) resides on some server, ready for downloading, and information about that location is stored with the certificate.
I need to know whether SBB downloads the CRL every time (each time a document is signed with one certificate), or caches the CRL somewhere and uses that cached CRL while it is valid (not expired). This is a very important aspect because of optimization when there are a lot of documents to be signed. Certainly we don't want to look for and download the CRL each time. If SBB is caching CRLs, I need to know where physically it is stored on the hard disk (the path to it). What is the caching policy; does SBB keep the cache as long as the CRL is valid?

Also, since we can register both HTTP and LDAP CRL retrievers, is there a possibility to know whether we have downloaded the CRL via HTTP or LDAP? We somehow need a way to assure the customer that we're able to download it in both ways, because sometimes those servers have to be restarted, but never both at the same time. Is there an event or something like that which I can catch and write down in a log how the CRL was retrieved?

SBB uses TElX509CertificateValidator internally to collect revocation info (CRLs, OCSP responses etc.). TElX509CertificateValidator has an internal cache of already downloaded CRLs that can be reused between revocation collection procedures. This cache is stored in memory and is not saved to disk.

However, the internal instance of TElX509CertificateValidator is destroyed after each revocation collection procedure, so you should create your own instance and pass it to the component using the TElPDFAdvancedPublicKeySecurityHandler.OnCertValidatorPrepared event handler.

OK, I can make my own instance of TElX509CertificateValidator outside of the event and then pass it in the event handler. But would that mean that if I make a service which is signing documents, and my class lives as long as the application lives and I don't restart the service for five days, I will end up with a CRL which is 5 days old?
Is there a way to access the revocation info of TElX509CertificateValidator and check whether the time has come to download the CRL again (DateTime.Now > TElCertificateRevocationList.NextUpdate)?

The CRL cache is a global object, so keeping one instance of TElX509CertificateValidator is not necessary (i.e. it can be recreated safely).

CRLs are kept in the cache until they expire or until application shutdown, whichever happens earlier.

There's the SBCRLStorage.Unit.CRLManagerAddRef() function that returns an instance of the TElCRLManager class via which you can get to the CRLs kept in the cache. This class is not documented as it was designed for internal use only, and we don't plan to make the CRL cache public (at least at the moment). You can study the source code (SBCRLStorage.pas) if you are interested in how the CRL cache looks.

This way we tell TElX509CertificateValidator (or TElCRLManager) that it can use both the HTTP and LDAP CRL retrievers. The only information that I need is not what they retrieve, but which of those two retrievers worked. My customer somehow wants to be sure that we can use both retrievers, because their CA sometimes restarts the HTTP or LDAP server, but never both at the same time.

I saw that TElX509CertificateValidator has an event OnBeforeCRLRetrieverUse. Can I use this event to somehow log which of the retrievers will be used to retrieve the CRL (HTTP or LDAP)?
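To make the two points of this thread concrete (a CRL cache that is kept until NextUpdate and then refreshed, and a retriever chain where you want to know whether HTTP or LDAP actually delivered the CRL), here is an added stand-alone model. It is written for this thread and is not SecureBlackbox code: the real TElCRLManager is undocumented and its internals may differ, and every class, function, URL and timestamp below is constructed for the illustration.

```python
"""Model of a CRL cache with NextUpdate expiry and HTTP/LDAP retriever fallback.

Constructed illustration only: not SecureBlackbox code. All names are
hypothetical; the real TElCRLManager is undocumented.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


class RetrieverError(Exception):
    """Raised by a retriever when the distribution point cannot be reached."""


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime      # timezone-aware (UTC) so comparisons with 'now' are safe
    next_update: datetime
    revoked_serials: frozenset


class CRLCache:
    """In-memory cache keyed by distribution point URL.

    An entry is served while now < NextUpdate and evicted once NextUpdate has
    passed, mirroring the 'kept until they expire or application shutdown'
    policy. Nothing is written to disk, so a restart starts with an empty cache.
    A real cache must verify the CRL signature against the issuer before
    storing it; this model omits that step.
    """

    def __init__(self) -> None:
        self._entries: dict[str, CRL] = {}

    def get(self, url: str, now: datetime) -> Optional[CRL]:
        crl = self._entries.get(url)
        if crl is None:
            return None
        if now >= crl.next_update:      # stale: drop it so the caller refetches
            del self._entries[url]
            return None
        return crl

    def put(self, url: str, crl: CRL) -> None:
        self._entries[url] = crl


Retriever = Callable[[str], CRL]


class CRLManager:
    """Tries the registered retrievers in order and logs which one worked."""

    def __init__(self, cache: CRLCache, retrievers: list[tuple[str, Retriever]]) -> None:
        self.cache = cache
        self.retrievers = retrievers
        self.log: list[str] = []

    def fetch(self, url: str, now: datetime) -> tuple[CRL, str]:
        cached = self.cache.get(url, now)
        if cached is not None:
            self.log.append(f"cache hit for {url} (valid until {cached.next_update.isoformat()})")
            return cached, "cache"
        for name, retriever in self.retrievers:
            try:
                crl = retriever(url)
            except RetrieverError as exc:
                self.log.append(f"{name} retriever failed for {url}: {exc}")
                continue
            self.cache.put(url, crl)
            self.log.append(f"{name} retriever fetched {url} (NextUpdate {crl.next_update.isoformat()})")
            return crl, name
        raise RetrieverError(f"all retrievers failed for {url}")


def demo() -> tuple[list[str], list[str]]:
    """Three signing operations: LDAP fallback, cache hit, refresh after NextUpdate.

    Returns the source of the CRL for each operation and the manager's log.
    """
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    url = "http://crl.example.test/ca.crl"          # constructed distribution point

    def make_crl(issued: datetime) -> CRL:
        # constructed CRL: valid for 24 hours, one revoked serial
        return CRL("CN=Example CA", issued, issued + timedelta(hours=24), frozenset({0x1001}))

    http_state = {"down": True}                      # the CA is restarting its HTTP server

    def http_retriever(u: str) -> CRL:
        if http_state["down"]:
            raise RetrieverError("connection refused")
        return make_crl(t0 + timedelta(hours=24))

    def ldap_retriever(u: str) -> CRL:
        return make_crl(t0)

    mgr = CRLManager(CRLCache(), [("HTTP", http_retriever), ("LDAP", ldap_retriever)])
    sources = [mgr.fetch(url, t0)[1]]                            # HTTP down -> LDAP
    sources.append(mgr.fetch(url, t0 + timedelta(hours=5))[1])   # within NextUpdate -> cache
    http_state["down"] = False
    sources.append(mgr.fetch(url, t0 + timedelta(hours=25))[1])  # expired -> refetch via HTTP
    return sources, mgr.log
```

Running `demo()` shows the behaviour the thread describes: a long-lived service does not keep a five-day-old CRL, because the entry is dropped as soon as its NextUpdate passes, and the log records per operation whether HTTP, LDAP or the cache supplied the CRL, which is the evidence the customer asked for.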
